Conduent data breach 2025: 10.5 million affected in one of the year’s largest cyber incidents



American business services company Conduent has confirmed a massive data breach affecting more than 10.5 million people, following reports submitted to various U.S. state Attorneys General in recent weeks. The disclosure marks one of the largest data incidents of 2025 and raises new questions about cybersecurity preparedness among major outsourcing firms serving both public and private sectors.

Conduent, a global business process outsourcing (BPO) provider spun off from Xerox in 2017, offers digital and data-driven solutions for government agencies and major corporations. The company employs roughly 56,000 people across 22 countries and reported $3.4 billion in annual revenue. Its operations span healthcare, transportation, finance, and government administration — industries that handle vast amounts of sensitive personal data.



According to the company’s notification, the breach compromised personally identifiable information (PII) such as names, Social Security numbers, dates of birth, health insurance details, and medical information. In filings with state officials, Conduent stated that, as of October 24, 2025, there is no evidence that the exposed data has been misused.

However, the scale of the incident is significant. Oregon’s Attorney General’s Office reported that 10.5 million residents were affected, while separate filings in Texas, Washington, and Maine revealed 4 million, 76,000, and a few hundred impacted individuals, respectively. Given that Conduent provides services to numerous states and large enterprises, cybersecurity experts believe the true scope of the breach could be considerably higher.

The timeline of events suggests the breach began months before its discovery. Conduent revealed that the unauthorized access started on October 21, 2024, but the company only detected and contained the intrusion on January 13, 2025. During that time, cybercriminals reportedly exfiltrated a range of files containing customer and client data.

Earlier this year, Conduent disclosed a cybersecurity incident that caused temporary service outages across several government platforms. While the company did not initially specify the nature of the disruption, the Safepay ransomware group claimed responsibility in February, asserting that it had gained access to confidential systems.

Subsequent investigations and a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC) in April confirmed that hackers had stolen files containing personal and customer-related data. The latest notification indicates that these findings were part of a broader breach that unfolded over several months.



Despite the scale of the exposure, Conduent has not offered complimentary identity theft protection or credit monitoring to victims — a move that has drawn criticism from some cybersecurity advocates. Instead, the company advised affected individuals to obtain free credit reports, place fraud alerts, and consider security freezes to mitigate the risk of identity theft.

In its statement, Conduent emphasized that it has restored all affected systems, cooperated with law enforcement, and strengthened its security measures. “Upon discovery of the incident, we safely restored our systems and operations and notified law enforcement,” the company said in its notice to affected individuals.

Conduent’s extensive client list includes over 600 government and transportation agencies and roughly half of Fortune 100 companies. The company’s digital platforms support nearly 100 million U.S. residents across 46 states, magnifying the potential implications of the breach.

The investigation remains ongoing, with authorities and cybersecurity experts monitoring for any misuse or sale of the stolen data on underground networks. As large-scale ransomware and data theft attacks continue to rise globally, the Conduent incident underscores the persistent vulnerabilities within critical service providers that handle sensitive personal and governmental data.

FAQ

What happened in the Conduent data breach?
Hackers gained unauthorized access to Conduent’s systems between October 2024 and January 2025, stealing files containing personal information of millions of people.



How many people were affected?
According to official filings, more than 10.5 million individuals have been impacted, with Oregon reporting the highest number of victims.

What kind of data was exposed?
The breach involved names, dates of birth, Social Security numbers, health insurance IDs, and medical information.

Who was responsible for the attack?
While Conduent has not confirmed the attacker’s identity, the Safepay ransomware group has claimed responsibility.

What is Conduent doing about it?
The company says it has restored systems, involved law enforcement, and is notifying all affected individuals. However, it is not offering free credit monitoring or identity theft protection.




